
US006609148B1 

(12) United States Patent    (10) Patent No.: US 6,609,148 B1

Salo et al. (45) Date of Patent: Aug. 19, 2003 


(54) CLIENTS REMOTE ACCESS TO 

ENTERPRISE NETWORKS EMPLOYING 
ENTERPRISE GATEWAY SERVERS IN A 
CENTRALIZED DATA CENTER 
CONVERTING PLURALITY OF DATA 
REQUESTS FOR MESSAGING AND 
COLLABORATION INTO A SINGLE 
REQUEST 

(76) Inventors: Randy Salo, 1441 Yost Dr., San Diego, 
CA (US) 92109; Chris Van 
Hamersveld, 1014 Honeysuckle Dr., 
San Marcos, CA (US) 92069; Barry K. 
Shelton, 12272 Misty Blue Ct., San 
Diego, CA (US) 92131; Larry 
Herbinaux, 843A Hampton Ct., Vista, 
CA (US) 92084; D. Brian Deacon, 
1285 Navel Pl., Vista, CA (US) 92081;
Kenneth Eugene Fayal, Jr., 5890C 
Reo Ter., San Diego, CA (US) 92117

( * ) Notice: Subject to any disclaimer, the term of this 
patent is extended or adjusted under 35 
U.S.C. 154(b) by 0 days. 

(21) Appl. No.: 09/436,661

(22) Filed: Nov. 10, 1999 

(51) Int. Cl.7 ..................... G06F 15/16

(52) U.S. Cl. ..................... 709/217; 709/201; 709/202;
                                    709/203; 709/218; 709/219; 707/10; 707/102

(58) Field of Search ............... 709/201-203,
                                    709/217-219; 707/10, 102

(56) References Cited 

U.S. PATENT DOCUMENTS 
5,805,803 A *     9/1998   Birrell et al. .......... 713/201
5,974,416 A      10/1999   Anand et al. ............ 707/10
6,061,650 A       5/2000   Malkin et al. ........... 370/401
6,256,666 B1      7/2001   Singhal ................. 709/203
6,324,681 B1     11/2001   Sebesta et al. .......... 707/10
6,359,892 B1      3/2002   Szlam ................... 370/401
6,397,220 B1      5/2002   Deisinger et al. ........ 707/102
6,415,288 B1      7/2002   Gebauer ................. 707/10
6,496,850 B1     12/2002   Bowman-Amuah ............ 709/203
6,499,137 B1     12/2002   Hunt .................... 717/164
2002/0072830 A1   6/2002   Hunt .................... 701/1

OTHER PUBLICATIONS 


US 2002/0072830 Al. 
* cited by examiner 


Primary Examiner — Nabil El-Hady 

(74) Attorney, Agent, or Firm— Philip R. Wadsworth; 
Gregory D. Ogrod; Abdollah Katbab 


(57) ABSTRACT


A computer system includes an enterprise gateway server 
and a remote gateway server connected via a data network, 
such as the Internet, that is relatively inefficient compared to 
typical private networks. The remote gateway server inter- 
faces the enterprise gateway server to corporate messaging 
and collaboration data stored locally relative to the remote 
gateway server. The enterprise gateway server converts 
multiple data requests for the messaging and collaboration 
data into a single higher-level data request that is transmitted
across the data network. The remote gateway server receives 
the request and converts the single high level request back 
into the original multiple request format for presentation to 
the messaging and collaboration database. 

26 Claims, 10 Drawing Sheets 
CLIENTS REMOTE ACCESS TO
ENTERPRISE NETWORKS EMPLOYING 
ENTERPRISE GATEWAY SERVERS IN A 
CENTRALIZED DATA CENTER 
CONVERTING PLURALITY OF DATA 
REQUESTS FOR MESSAGING AND 
COLLABORATION INTO A SINGLE 
REQUEST 

BACKGROUND OF THE INVENTION 

I. Field of the Invention 

This invention generally relates to the field of communi- 
cations and information network management. More 
particularly, the present invention relates to a novel system 
that allows remote end users to rapidly and securely access 
information from a variety of subscriber devices using a 
centralized remote data center. 

II. Description of Related Art 

Recent innovations in wireless communication and 
computer-related technologies as well as the unprecedented 
growth of Internet subscribers have provided tremendous 
opportunities in telecommuting and mobile computing. In 
fact, corporate entities and enterprises are moving towards 
providing their workforces with ubiquitous access to net- 
worked corporate applications and data, such as, for 
example, e-mail, address books, appointment calendars, 
scheduling information, etc. 

The problem with providing universal access to propri- 
etary information is one of logistics. For example, it is 
common for an individual to keep sets of addresses on 
different devices, such as work addresses on a personal 
computer used at work, personal addresses on a home 
computer, and commonly called telephone numbers on a 
cellular telephone. Problems arise when the individual is at 
home and wishes to call or fax a work colleague, particularly 
when the individual does not have access to the work 
addresses from the home computer or any other available 
device. Further, different urgent priority items, such as 
urgent e-mails, may be unavailable to a subscriber for an 
extended period of time if the subscriber is equipped only 
with a personal digital assistant (PDA) and a cellular tele- 
phone unable to receive e-mail. 

Along with the problem of maintaining data in various 
locations, users frequently have access to different devices, 
each having different data access abilities and requirements. 
For example, certain cellular telephones have speed dial or 
commonly called telephone numbers, but do not have the 
ability to receive e-mail. Certain cellular telephone handsets 
have the ability to receive alphanumeric pages, but some 
cellular service providers do not support this feature while 
others do. Also, many PDAs do not have the ability to 
receive over-the-air transmissions, but can synchronize with 
a database, such as a database associated with a personal 
computer and/or network. Other PDAs have the ability to 
receive and edit e-mail messages. Some systems or networks 
allow a subscriber to download her e-mail headers to a 
remote device and read some portion or all of the e-mail. 
After reading the e-mail on the remote device, some systems 
delete the e-mail while others maintain the e-mail on the 
system until read or deleted at the home system. Hence the 
ability for a subscriber to access, maintain, and dynamically 
utilize information is heavily dependent on the input device 
employed by the subscriber. 

Further, certain organizations limit access to workers 
having a need to know the information maintained. For 
example, many corporations control e-mail using a dedi-
cated server having restricted access, including using fire- 
walls and encryption. Access to this information requires 
making the information available under conditions imposed
and maintained by the corporation.

For purposes of this application, a corporation or other 
entity, public private, or otherwise, is referred to as an 
"enterprise." As used herein, an enterprise represents any 
entity maintaining or controlling information at a remote
location from a subscriber. Examples of enterprises include
a secure corporate network, a dedicated server, or a publicly 
accessible web site network. Other enterprises may be 
employed which maintain and control certain information as 
may be appreciated by those of skill in the art. 

While certain systems have been employed to provide
access to information maintained at an enterprise, none have 
provided for access by multiple devices including PDAs, 
cellular telephones, personal computers, laptops, 
MICROSOFT® Windows CE devices, and so forth. Further,
those systems discussed in the literature that provide infor-
mation access to users employing a limited set of input 
devices have suffered from accessibility and data latency 
problems. Accessibility issues involve providing access to 
the information by only offering access through a corporate
Intranet or other internal access scheme. A subscriber wish-
ing to review his or her e-mail on a laptop borrowed from a 
colleague frequently is denied access to the corporate infor- 
mation. Further, data latency universally inhibits the ability 
to access data. Users desire a fast response to the information
they desire, and information on any device that takes
longer than fifteen seconds to load is undesirable. 

Additionally, certain enterprises wish to have control over 
information maintained on their networks, including maintaining
password and account information for the enterprise
users. It is therefore undesirable for the enterprise to offer 
sensitive data, such as subscriber information and 
passwords, to outside parties where the data may be com- 
promised. Security issues, such as corporate firewalls and
encryption of data, must in many instances be maintained
and controlled by the enterprise rather than a third party. 

Certain enterprises also have particular needs and prefer- 
ences. For example, some corporate enterprises may main- 
tain a network that interfaces with offices in different
countries, and depending on the person accessing the
information, he or she may have a particular language 
preference. Certain enterprises also find it highly desirable to 
have a reconfigurable interface to provide updated graphics, 
information, and presence to network users. These subscriber
interfaces may change rapidly in some industries. A
system offering information access should therefore be 
readily reconfigurable and offer subscriber interfaces struc- 
tured for the enterprise for use on a variety of input devices. 
Such a system should be relatively easy to set up and
maintain, and use readily available hardware and software
wherever possible. Further, the system should provide for 
data access tracking and efficient security and authorization. 

It is therefore an object of the current invention to provide 
a system for offering convenient and efficient access to data,
including e-mail, calendar/date book, and addresses. These
terms are commonly known in the art, wherein e-mail 
represents electronic mail deliverable in a recognized 
format, including attachments and other electronic mail 
attributes. Calendar/date book data represents dates of
meetings, appointments, holidays, or other noteworthy
events maintained in a searchable database type format. 
Addresses represent information associated with contacts, 
such as the contact's name, title, company, business address,
business phone number, business fax number, home address
and/or phone number, cellular phone number, e-mail
address, and so forth. Access to the information should
preferably be provided through a central location.

It is a further object of this invention to provide for access
to the desired information using any of a variety of input
devices, including but not limited to a personal computer, a
laptop computer, a PDA, a cellular telephone, a two-way
pager, and a MICROSOFT® Windows CE device.

It is still a further object of the present invention to
provide a system which recognizes the type of device
addressing and requesting the information and to provide the
information to the device in a proper format in accordance
with the preferences of the enterprise transmitting the
information.

It is another object of the current invention to provide a
central location for enabling a series of users to access
information at various enterprises when said users employ
various input devices. Such a central location should offer
relatively robust access to the information desired, offer
security for information maintained on the enterprise such as
subscriber data and passwords, and provide for authentication
and access tracking.

It is yet another object of the current invention to provide
an interconnection between a central data location and an
enterprise such that the interconnection can quickly, reliably,
and efficiently transfer information, such as e-mail, calendar,
and address data, between the central data location and the
enterprise.

It is a further object of the current invention to provide a
remote enterprise architecture that supports inquiries from
and responses to the central data location for use in a
multiple subscriber and multiple input device data access
scheme. The remote enterprise architecture should permit
rapid access to the information and transmission of the
information while simultaneously maintaining firewall,
security, and encryption requirements.

It is still a further object of the current invention to
provide architectures which are reliable and easy to use from
both a software and hardware standpoint, and utilize where
possible existing components to minimize system costs.

It is yet a further object of the current system to provide
a subscriber interface that is readily reconfigurable by an
enterprise maintaining the information. Further, the
subscriber interface should preferably provide enterprise data
on various input devices and take into account enterprise and
subscriber preferences when interfacing with a subscriber.

It is another object of the current invention to provide a
business model for supplying users with access to e-mail,
calendar, and address information in a multiple input device
environment when the desired information is maintained at
a remote enterprise.

SUMMARY OF THE INVENTION

Accordingly, there is herein provided a computer system
for providing access to information maintained on an
enterprise network.

One aspect of the present invention is directed to a
computer system comprising a plurality of components,
including a data network, an enterprise gateway server, a
remote gateway server, and a messaging server. The
enterprise gateway server is connected to the data network and
includes software that converts a plurality of data requests
for messaging and collaboration data into a single higher
level request and transmits the higher level request over the
data network. The remote gateway server is also connected
to the data network and receives the higher-level request
from the enterprise gateway server and converts the higher-
level request to the plurality of data requests. The messaging
server hosts messaging and collaboration data and is
connected to the remote gateway server through a private data
network, the private data network connecting the messaging
server to the remote gateway server more efficiently than the
data network that connects the enterprise gateway server to
the remote gateway server, the messaging server providing
messaging and collaboration data to the remote gateway
server in response to receiving the plurality of data requests.

A second aspect of the present invention is directed to a
computer system comprising a plurality of elements
including an enterprise gateway server and a corporate network
connected via the Internet. The enterprise gateway server
includes software that converts a plurality of data requests
for messaging and collaboration data into a single higher
level request and transmits the higher level request over the
data network. The corporate network receives the higher
level request from the enterprise gateway server and converts
the higher level request to the plurality of data requests. The
corporate network uses the converted plurality of data
requests to query a messaging database that stores messaging
and collaboration data corresponding to the plurality of
data requests from the enterprise gateway server and returns
the results of the query to the enterprise gateway server.

Other objects, features, and advantages of the present
invention will become more apparent from a consideration
of the following detailed description and from the
accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings which are incorporated in
and constitute a part of this Specification, illustrate an
embodiment of the invention and, together with the
description, explain the objects, advantages, and principles
of the invention. In the drawings:

FIG. 1 is a conceptual diagram representing the major
components of the system;

FIG. 1A is a high level block diagram depicting the basic
elements of an embodiment of the present system;

FIG. 1B is a high level block diagram depicting various
elements of an exemplary communication system interfacing
with a remote data center;

FIG. 1C is a high level block diagram depicting the
architecture of a remote data center;

FIG. 2 is a functional block diagram depicting the
authentication process;

FIG. 3 is a high level block diagram illustrating the basic
elements of the EGS;

FIG. 4 is a high level diagram depicting the connectivity
between a data center and a plurality of enterprise network
servers;

FIGS. 5A, 5B are block diagrams illustrating embodiments
of the implementation of a Virtual Private Network
interconnecting a data center and an enterprise network;

FIG. 6 is a diagram depicting the architecture of the RGS
software components;

FIGS. 7A and 7B are diagrams depicting alternative
embodiments of the communications between a messaging
server and an EGS; and

FIG. 8 illustrates the customization initialization
procedure.
DETAILED DESCRIPTION OF THE
PREFERRED EMBODIMENTS 

The following detailed description of the embodiments of 
the present invention refers to the accompanying drawings
that illustrate these. Other embodiments are possible and 
modifications may be made to the embodiments without 
departing from the spirit and scope of the invention. 
Therefore, the following detailed description is not meant to 
limit the invention. Rather, the scope of the invention is 
defined by the appended claims. 

It will be apparent to one of ordinary skill in the art that 
an embodiment of the present invention, as described below, 
may be realized in a variety of implementations, including 
the software, firmware, and hardware of the entities illustrated
in the figures (i.e., remote access device 104, BSC/
MSC 106 and IWF 108). The actual software code or control 
hardware used to implement the present invention is not 
limiting of the present invention. Thus, the operation and 
behavior of the present invention will be described without
specific reference to the actual software code or hardware 
components. Such non-specific references are acceptable 
because it is clearly understood that a person of ordinary 
skill in the art would be able to design software and control 
hardware to implement the embodiment of the present
invention based on the description herein. 

FIG. 1 presents a conceptual overview of the design of the 
current system. From FIG. 1, a subscriber has access to an 
input device, which may be one from a class of input devices 
10 including, but not limited to, a cellular telephone 11, a
personal digital assistant (PDA) 12, a MICROSOFT® Win- 
dows CE device 13, a desktop personal computer 14, or a 
laptop personal computer 15. Other devices may be 
employed, such as a two-way paging device, while still 
within the scope of the present invention. The important
characteristic of the class of input devices 10 is that each 
device must have the ability to receive information. 

The input device transmits or receives information over a 
data link 16, such as a telephone line, dedicated computer 
connection, satellite connection, cellular telephone network,
the Internet, or other data connection. The data link 16 is 
connected to a data center 17, which offers a central location 
for accessing and processing information from various 
remote enterprise networks 22. Data center 17 provides 
users with access to information or data maintained at the
enterprise networks 22. The data center 17 includes at least 
one web server 18 (e.g., MICROSOFT® Internet Informa- 
tion Server [IIS]) having access to at least one attributes 
database server (e.g., Structured Query Language [SQL] 
server) 19. The IIS server 18 identifies and authenticates the
subscriber and verifies that the subscriber is associated with 
a particular enterprise. The IIS server 18 refers to the SQL 
server 19 for the data necessary to perform these tasks, and 
thus the SQL server 19 performs data storage for account 
access purposes. The IIS servers 18 process individual active
server pages, or ASPs, that provide the requested informa- 
tion back across data link 16 to the user or subscriber. The 
data center 17 transmits data through a dedicated connection 
20, which is preferably an IPSEC tunnel through the 
Internet, or a PPTP connection via the Internet. The dedicated
connection 20 is provided through data transmission
media 21, which may be the Internet, a Wide Area Network 
(WAN), or any other media used for server communication. 
The dedicated connection 20 provides the robustness necessary
to update the subscriber and provide information in a
reasonable time period. Use of a connection that is not 
dedicated can result in delays and service disruptions, and 
the Internet provides an example of a powerful and readily
accessible data transmission media. Addition of enterprise 
networks 22 or data centers 17 to an arrangement employing 
the Internet is relatively simple. Note also that data link 16 
may also employ the Internet for subscriber access to the 
data center 17. 

In operation, the subscriber must first access the data 
center 17 using an access arrangement, such as a password 
verifying his or her identity. The subscriber makes a request 
into the subscriber device, such as a cellular telephone, to 
view data, such as his or her e-mail. The IIS server 18 
receives the request via the data link 16 and passes the 
request through the dedicated connection 20 and on to the 
enterprise network 22. The enterprise network 22 processes
the request for e-mail and obtains the necessary data pur- 
suant to the subscriber preferences provided by the SQL 
server in the data center 17. For example, the subscriber is
presumed to have established that if he or she desires e-mail 
through his or her cellular telephone, the information pro- 
vided should be only the first ten messages, alphabetized by 
the last name of the sender. In such a situation, the enterprise 
network 22 obtains the requisite information and transmits 
the data back through the dedicated connection 20, to the 
data center 17, and to the subscriber via data link 16 to the 
requesting subscriber input device. To accomplish this, the 
enterprise network 22 must include a server having a 
scalable, reliable and secure data access platform, such as 
MICROSOFT® Exchange Server, for ready access to the 
requested e-mail, calendar, or contact information. 
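The following is an added example, not code from the patent or from the system it describes, illustrating the request conversion just described: the several per-item requests a subscriber session produces are folded by the enterprise gateway server (EGS) into one envelope for the Internet-side link, and the remote gateway server (RGS) recovers them, re-validates them, and answers against a constructed sample mailbox, applying the subscriber preference the text gives (at most the first ten messages, ordered by the sender's last name). The JSON envelope layout, the operation names, the fan-out cap and the sample data are assumptions made for this illustration only.

```python
import json

# Operations the RGS is willing to fan out to the messaging server. Anything
# else arriving in an envelope is rejected, not forwarded (assumed allowlist).
ALLOWED_OPS = {"list_mail", "list_calendar", "list_contacts"}
MAX_SUBREQUESTS = 8   # bound on fan-out per envelope (assumption)

# Constructed sample data standing in for the enterprise messaging server.
MAILBOX = [
    {"id": 1, "sender": "Zoe Adams", "subject": "Q3 numbers"},
    {"id": 2, "sender": "Ann Baker", "subject": "lunch?"},
    {"id": 3, "sender": "Lee Carter", "subject": "VPN outage"},
    {"id": 4, "sender": "Omar Adams", "subject": "re: Q3 numbers"},
]
CALENDAR = [{"id": 10, "when": "1999-11-10T09:00", "title": "standup"}]
CONTACTS = [{"name": "Ann Baker", "phone": "555-0100"}]


def batch_requests(session_id, requests):
    """EGS side: fold several per-item requests into one higher-level request.

    `requests` is a list of {"op": ..., "args": {...}} dicts; the result is the
    single JSON envelope that crosses the Internet-side link."""
    if len(requests) > MAX_SUBREQUESTS:
        raise ValueError("too many sub-requests")
    for r in requests:
        if r["op"] not in ALLOWED_OPS:
            raise ValueError("unknown op %r" % r["op"])
    envelope = {"v": 1, "session": session_id, "requests": requests}
    return json.dumps(envelope, separators=(",", ":"), sort_keys=True)


def unbatch_request(envelope_text):
    """RGS side: validate the envelope and recover the original request list.

    The same checks run here as on the EGS: the RGS does not trust that the
    sender bounded the fan-out, since one inbound message becomes many
    internal queries against the messaging server."""
    env = json.loads(envelope_text)
    if env.get("v") != 1 or not isinstance(env.get("requests"), list):
        raise ValueError("malformed envelope")
    if len(env["requests"]) > MAX_SUBREQUESTS:
        raise ValueError("too many sub-requests")
    out = []
    for r in env["requests"]:
        op, args = r.get("op"), r.get("args", {})
        if op not in ALLOWED_OPS or not isinstance(args, dict):
            raise ValueError("rejected sub-request %r" % (r,))
        out.append({"op": op, "args": args})
    return env.get("session"), out


def last_name(sender):
    parts = sender.split()
    return parts[-1].lower() if parts else ""


def serve_one(req, prefs):
    """Answer one recovered sub-request against the sample data, applying the
    subscriber preferences (first N messages, ordered by sender's last name)."""
    if req["op"] == "list_mail":
        limit = int(prefs.get("mail_limit", 10))
        msgs = sorted(MAILBOX, key=lambda m: (last_name(m["sender"]), m["id"]))
        return msgs[:limit]
    if req["op"] == "list_calendar":
        return list(CALENDAR)
    return list(CONTACTS)


def handle_envelope(envelope_text, prefs):
    """RGS entry point: one envelope in, one aggregated reply out."""
    session, reqs = unbatch_request(envelope_text)
    return {"session": session, "results": [serve_one(r, prefs) for r in reqs]}


if __name__ == "__main__":
    env = batch_requests("sess-42", [
        {"op": "list_mail", "args": {}},
        {"op": "list_calendar", "args": {}},
    ])
    print(json.dumps(handle_envelope(env, {"mail_limit": 2}), indent=1))
```

The RGS repeats the allowlist and count checks instead of trusting the EGS: a single inbound message expands into several queries against the messaging server, and that bound is what keeps the aggregation from becoming an amplification path into the enterprise network.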

FIG. 1A illustrates an embodiment of the present inven- 
tion. The embodiment allows subscribers to securely and 
remotely access a centralized data center 190, which acts as 
an intermediary to facilitate subscriber information residing 
in an independent enterprise network 403 in real time. In one 
implementation, a subscriber, by virtue of a remote access 
device 104, makes a request, across a network 100, to a data 
center 190, to supply subscriber information (e.g., messag- 
ing and collaboration information, such as electronic mail, 
appointment calendars, address/phone books) located in an 
enterprise network 403. The data center 190 receives the 
request, authenticates the subscriber, accesses the enterprise 
network 403, establishes a secure session with the enterprise 
network 403, retrieves the subscriber information, and for- 
mats the information in accordance with the display capa- 
bilities of the remote access device 104. The remote access 
device 104 may be connected to a "wireline" network (e.g., 
personal computer, kiosk, etc.) or may be connected to a 
wireless network (e.g., cellular phones, personal digital 
assistants (PDAs), MICROSOFT® Windows CE device, 
etc.).

In another embodiment, as indicated by FIG. 1A, the data 
center 190 itself provides a central repository for the sub- 
scriber information (dashed-line). As such, the subscriber 
initiates a request in the remote access device 104 and the 
data center 190 receives the request, authenticates the 
subscriber, accesses the subscriber information, and formats 
the information in accordance with the display capabilities 
of the remote access device 104. 

The features and details of the various embodiments of 
the invention will be described below. 

1. Remote Access Devices 

The remote access and retrieval of subscriber information 
resident in the enterprise network 403 is initiated by request- 
ing the information on a remote access device 104. 
Generally, these requests are initiated by inputting an 
address on a browser (or micro-browser) interface of the
remote access device 104. The address partially identifies
the enterprise network 403 that the subscriber is associated
with (i.e., company, employer, etc.) and the address may be
in the form of an HTTP URL (Hypertext Transfer Protocol
Uniform Resource Locator). The remote access devices 104
have communication capabilities, allowing them to interface
with wireless and wireline communication networks. In one
implementation, the remote access devices 104 are wireless
and include devices that are well-known in the art, such as
hand-held wireless phones, Personal Digital Assistants
(PDAs), MICROSOFT® Windows CE devices, and mobile
computers. Such devices operate in wireless networks that
include, but are not limited to PSTN, CDPD, CDMA/IS-95,
TDMA/IS-136, MOBITEX, and GSM networks.

In addition, these remote access devices 104 generally 
have graphical displays to accommodate their browsing 
capabilities. The remote access devices may use different 
markup languages to interpret, format, and display the 
contents of the retrieved subscriber information. Such languages
may include Hypertext Markup Language (HTML),
Handheld Markup Language (HDML), Extensible Markup 
Language (XML), Extensible Stylesheet Language (XSL), 
and Wireless Markup Language (WML). 

2. Network Access to Data Center

As stated above, the remote access devices 104 have 
communication capabilities to interface with a variety of 
communication networks including wireless communication 
systems. FIG. 1B illustrates the basic elements of a wireless
implementation of network 100 in FIG. 1A. Artisans of 
ordinary skill will readily appreciate that these elements, and 
their interfaces, may be modified, augmented, or subjected 
to various standards known in the art, without limiting their 
scope or function.

In one implementation, the remote access device 104 first 
communicates and sustains a session with a Base Station 
Controller/Mobile Switching Center (BSC/MSC) 106 via 
the wireless interface (i.e., air-link) in accordance with
a wireless communication network scheme, such as CDPD,
CDMA/IS-95, TDMA/IS-136, MOBITEX, and GSM. The 
BSC/MSC 106 employs a transceiver to transmit to the 
remote access device 104 (i.e., forward link) and receive 
from the remote access device 104 (i.e., reverse link), 
consistent with the wireless network scheme. The BSC/
MSC 106 supervises, manages, and routes the calls between 
the remote access device 104 and the Inter- Working Func- 
tion (IWF) 108. 

The IWF 108 serves as a gateway between the wireless 
system 100 and other networks. The IWF 108 is coupled to
the BSC/MSC 106 and in many cases it may be co-located 
with the BSC/MSC 106. The IWF 108 provides the session 
between the remote access device 104 and the BSC/MSC 
106 with an IP address, consistent with the well-known 
Internet Protocol (IP).

As is well-known in the art, the IP protocol is a network 
layer protocol that specifies the addressing and routing of 
packets (datagrams) between host computers and specifies
the encapsulation of data into such packets for transmission. 
Addressing and routing information is affixed in the header
of the packet. IP headers contain 32-bit addresses that 
identify the sending and receiving hosts. These addresses are 
used by intermediate routers to select a path through the 
network for the packet towards its ultimate destination at the 
intended address. Providing the session between the remote
access device 104 and the BSC/MSC 106 with an IP address, 
the session can be intelligently routed to other networks. 
The IWF 108 is subsequently coupled to a system router
110, which interfaces with other networks, such as the 
Public Switched Telephone Network (PSTN) and other 
Wide Area Networks (WANs) providing Internet- or secure/ 
unsecure Intranet-based access.

3. Data Center Configuration and Host and 
Enterprise Operations 

Data center 190 acts as an intermediary to remotely and 
securely collect, process, and format the information resid- 
ing in the enterprise network 403 and to present the infor- 
mation on the remote access device 104 in real time. 
Generally, the desired information will be stored in a spe- 
cialized database/messaging server within the enterprise 
network 403, such as, for example, MICROSOFT® 
Exchange Server 5.5. Such a database hosts electronic mail, 
address books, appointment calendars, and is capable of 
groupware functionality. 

As shown in FIG. 1C, the data center 190 comprises an 
interface network 120, a Login subsystem 140, and a Service 
subsystem 160. The interface network 120 employs perim- 
eter router 122 to interface with the wireless communication 
system 100, which transports the IP datagrams between the 
remote access device 104 and the BSC/MSC 106. The 
interface is achieved by virtue of a WAN topology and may 
employ well-known Asynchronous Transfer Mode (ATM), 
Frame Relay, dedicated DS-1 (1.544 Mbps), DS-3 (45 
Mbps) and other topologies. The perimeter router 122 may 
connect to the data center 190 through a firewall 124 to 
provide an added level of protection and further limit access 
to data center 190 from the Internet. Artisans of ordinary
skill will readily appreciate that generally, firewalls are 
well-known security mechanisms that protect the resources 
of a private network from users of other networks. For 
example, enterprises that allow their own subscribers to access
the Internet may install a firewall (or firewalls) to prevent
outsiders from accessing their own private data resources and
for controlling what outside resources their own subscribers
have access to. Basically, firewalls filter incoming and 
outgoing network packets to determine whether to forward 
them toward their destination. 
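As an added example serving both the IP header paragraph in section 2 and the firewall description here (this is illustrative code, not part of the patent or of the system it describes), the block below parses the fixed part of an IPv4 header, verifies the header checksum that routers rely on, and then applies a first-match, default-deny filter of the kind the perimeter firewall 124 would run on datagrams arriving from the Internet: only HTTPS to the login server and the IPsec traffic from the enterprise end of the dedicated connection are forwarded, so the attributes database is never reachable from outside. All addresses, ports, the rule set and the sample datagrams are constructed assumptions for this illustration.

```python
import struct


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet):
    """Fields a filter decides on, taken from the fixed 20-byte header plus the
    TCP/UDP ports; malformed headers raise instead of being guessed at."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    (vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet) or total_len < ihl:
        raise ValueError("bad version or length fields")
    if ipv4_checksum(packet[:ihl]) != 0:      # sums to 0 when intact
        raise ValueError("header checksum mismatch")
    fields = {"src": ".".join(str(b) for b in src),
              "dst": ".".join(str(b) for b in dst),
              "proto": proto, "ttl": ttl, "sport": None, "dport": None}
    if proto in (6, 17) and len(packet) >= ihl + 4:   # TCP/UDP port pair
        fields["sport"], fields["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return fields


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal header with a valid checksum; used only to construct samples."""
    pack_addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, ttl, proto, 0, pack_addr(src), pack_addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


# Assumed data center addressing (illustrative, not from the patent).
LOGIN_SERVER = "192.0.2.10"      # LS 142: the only host subscribers may reach
EGS = "192.0.2.30"               # enterprise gateway, ends the IPsec tunnel
ATTR_DB = "10.0.0.20"            # attributes database 144: never Internet-facing
ENTERPRISE_VPN = "198.51.100.5"  # enterprise end of the dedicated connection
TCP, UDP, ESP = 6, 17, 50

# Inbound policy, first match wins; anything unmatched is dropped.
RULES = [  # (name, proto, src, dst, dport); None is a wildcard
    ("subscriber https", TCP, None, LOGIN_SERVER, 443),
    ("ike from enterprise", UDP, ENTERPRISE_VPN, EGS, 500),
    ("esp from enterprise", ESP, ENTERPRISE_VPN, EGS, None),
]


def filter_inbound(packet):
    """Verdict for one datagram arriving from the perimeter router:
    ('allow', rule_name) or ('deny', reason)."""
    try:
        f = parse_ipv4(packet)
    except ValueError as e:
        return ("deny", "unparseable: %s" % e)   # never forward what you cannot parse
    for name, proto, src, dst, dport in RULES:
        if proto is not None and f["proto"] != proto:
            continue
        if src is not None and f["src"] != src:
            continue
        if dst is not None and f["dst"] != dst:
            continue
        if dport is not None and f["dport"] != dport:
            continue
        return ("allow", name)
    return ("deny", "no matching rule")


# Constructed sample datagrams.
HTTPS_LOGIN = build_ipv4("203.0.113.7", LOGIN_SERVER, TCP, struct.pack("!HH", 40000, 443))
DB_PROBE = build_ipv4("203.0.113.7", ATTR_DB, TCP, struct.pack("!HH", 40001, 1433))
ESP_TUNNEL = build_ipv4(ENTERPRISE_VPN, EGS, ESP, b"\x00" * 8)
IKE_SPOOF = build_ipv4("203.0.113.7", EGS, UDP, struct.pack("!HH", 500, 500))

if __name__ == "__main__":
    for label, pkt in [("https login", HTTPS_LOGIN), ("db probe", DB_PROBE),
                       ("esp tunnel", ESP_TUNNEL), ("ike spoof", IKE_SPOOF)]:
        print(label, filter_inbound(pkt))
```

The filter is deliberately stateless and only covers the inbound direction, which is all the paragraph describes; a production firewall in this position would also track connection state so that replies to the login server's own outbound connections are admitted without opening inbound ports.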

The firewall 124 interfaces with the login subsystem 140. 
As depicted in FIG. 1C, the login subsystem 140 comprises 
a login server (LS) 142, an attributes database server 144. In 
one implementation an external disk array 146 may be used 
to store the database information. 

The firewall 124 is connected to the LS 142. The LS 142 
provides a centralized login site for all subscribers and 
provides the first level of subscriber authentication. As such, 
all sessions stemming from subscribers' remote access 
devices 104 are first handled by the LS 142. The LS 142 is 
configured as a web server, such as MICROSOFT® Internet 
Information Server (IIS) for remote corporate enterprise 
access. The IIS is designed to be tightly integrated with 
MICROSOFT® Windows NT Server, resulting in faster 
Web page serving. The LS 142 may be implemented as a 
single IIS or as a cluster of IISs with load balancing and fault 
tolerant features provided by MICROSOFT® Windows 
Load Balancing Service (WLBS). 

The LS 142 communicates with an attributes database 
server 144, which provides, inter alia, subscriber credential 
profiles to authenticate each subscriber. (The attributes database 
server 144 may also contain subscriber display preferences 
and customized enterprise display features.) The subscriber 
credentials are stored in the external disk array 146, 
which is coupled to the attributes database server 144. The 
attributes database server 144 may be configured as a 
Structured Query Language (SQL) database server and may 
be implemented as a single server or as a cluster of servers 
with cluster management provided by MICROSOFT® Cluster 
Server (MSCS). 

FIG. 2 illustrates the LS 142 authentication process. As 
shown in block B205, subscribers input an address or URL, 
corresponding to an enterprise network or sub-network 
therein, in the browser interface of their respective remote 
access devices 104. Generally, inputting a valid URL pointing 
to a particular enterprise network 403 in the remote 
access device 104 browser establishes a session between the 
browser and the LS 142. 

The LS 142 responds by sending a message back to the 
remote access device 104 browser, prompting the subscriber 
to supply login credentials and a personal identification 
number (PIN), as indicated in block B210. The login credentials 
may include subscriber-name and password, while 
the PIN is used as a second level of authentication by the 
enterprise network 403. In block B215, the LS 142 examines 
the login credentials. The LS 142 then determines, as shown 
in block B220, whether the account is locked out. As a 
security measure, an account is locked out if a predetermined 
number (e.g., 3) of successive bad login attempts 
occur. If the account is locked out, the LS 142, in block B225, 
informs the subscriber that the account has been locked out. 
LS 142 examines the information. If the account has not 
been locked out, the LS 142 advances to block B230. 

In block B230, the LS 142 compares the examined login 
credentials with the subscriber credential profile. The subscriber 
credential profile contains subscriber-specific 
information, which resides in the attributes database server 
144. In block B230, the LS 142 determines whether a match 
exists between the session-provided information and the 
stored credential information. If a match does not exist, the 
LS 142 progresses to block B235, where it first determines 
whether the current request constitutes the third bad login 
attempt. If so, the account is locked, as stated above with 
respect to block B240. If the request does not constitute the 
third bad attempt, then the LS 142 advances to block B245, 
where it requests the subscriber to re-input the login information 
and PIN. 

If a match does exist between the session-provided information 
and the stored credential information, the LS 142 
associates the identified subscriber with a corresponding 
enterprise network 403 (as indicated by the information 
contained in the URL, subscriber credentials, or a combination 
thereof), thereby achieving the first level of 
authentication, as depicted in block B250. It is noted that the 
existence of a subscriber in the attributes database server 
144 is preferably keyed to both the entered subscriber-name 
and the enterprise network 403 associated with the subscriber. 
Accordingly, different enterprise networks 403 can 
have the same subscriber-name. 

Upon successfully authenticating the subscriber, the LS 
142, in block B260, encodes the session with a subscriber-specific, 
session-specific, and time/date-specific enterprise 
access code (EAC). This is achieved by providing the 
browser on the remote access device 104 with the EAC as 
well as the address information (i.e., URL) for the dedicated 
server (i.e., EGS), within the service subsystem 160, that 
points to the enterprise network 403. The LS 142 then 
informs the dedicated server of the impending session and 
provides the server with the EAC. Subsequently, in block 
B270, the LS 142 dynamically redirects the session to the 
dedicated server and, upon recognizing the EAC session, the 
dedicated server grants access to the redirected encoded 
session. 
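The FIG. 2 login flow (lockout after three successive bad attempts, profiles keyed on subscriber-name and enterprise, and the EAC announced to the dedicated EGS before the redirect), as an added Python model; this is not code from the patent. The HMAC construction of the EAC, the PBKDF2 password hashing, the 120-second EAC lifetime and all sample names are assumptions.

```python
"""Login-server flow of FIG. 2, modelled in Python (constructed example, not the patent's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_BAD_ATTEMPTS = 3        # B235/B240: lock after this many successive bad logins
EAC_LIFETIME_SECONDS = 120  # assumed: how long an issued EAC stays redeemable at the EGS


def hash_password(password, salt):
    """Slow salted hash, so the attributes database never holds a clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class SubscriberProfile:
    """One subscriber credential profile (attributes database server 144)."""
    salt: bytes
    password_hash: bytes
    bad_attempts: int = 0
    locked: bool = False


class AttributesDatabase:
    """Profiles keyed on (subscriber-name, enterprise): two enterprises may share a name."""
    def __init__(self):
        self._profiles = {}

    def add_subscriber(self, name, enterprise, password):
        salt = secrets.token_bytes(16)
        self._profiles[(name, enterprise)] = SubscriberProfile(salt, hash_password(password, salt))

    def get(self, name, enterprise):
        return self._profiles.get((name, enterprise))


class EnterpriseGatewayServer:
    """Dedicated EGS 164: admits only a session whose EAC the LS announced beforehand."""
    def __init__(self, url):
        self.url = url
        self._pending = {}  # session_id -> (eac, issued_at)

    def announce(self, session_id, eac, issued_at):
        self._pending[session_id] = (eac, issued_at)

    def accept(self, session_id, eac, now):
        entry = self._pending.pop(session_id, None)    # one-shot: a replayed EAC is refused
        if entry is None:
            return False
        expected, issued_at = entry
        if now - issued_at > EAC_LIFETIME_SECONDS:     # time/date-specific: a stale EAC is refused
            return False
        return hmac.compare_digest(expected, eac)      # constant-time comparison


class LoginServer:
    """LS 142: first authentication level, lockout, EAC issue and redirect (blocks B210-B270)."""
    def __init__(self, db, gateways, eac_key):
        self.db, self.gateways, self.eac_key = db, gateways, eac_key

    def _make_eac(self, name, enterprise, session_id, now):
        # Subscriber-, session- and time-specific code; keyed so that only the LS can mint one.
        msg = f"{name}|{enterprise}|{session_id}|{now}".encode()
        return hmac.new(self.eac_key, msg, hashlib.sha256).hexdigest()

    def login(self, name, enterprise, password, session_id, now):
        """Returns (status, payload): status is 'locked', 'retry' or 'redirect';
        payload is (EGS url, EAC) on success, else None."""
        profile = self.db.get(name, enterprise)
        if profile is None:
            return "retry", None          # same answer as a bad password: no account enumeration
        if profile.locked:                # B220 / B225
            return "locked", None
        if not hmac.compare_digest(profile.password_hash, hash_password(password, profile.salt)):
            profile.bad_attempts += 1     # B235
            if profile.bad_attempts >= MAX_BAD_ATTEMPTS:
                profile.locked = True     # B240
                return "locked", None
            return "retry", None          # B245
        profile.bad_attempts = 0          # B250: first level achieved, counter reset
        eac = self._make_eac(name, enterprise, session_id, now)
        egs = self.gateways[enterprise]
        egs.announce(session_id, eac, now)   # B260: the dedicated server learns the EAC first
        return "redirect", (egs.url, eac)    # B270: browser is redirected with the EAC
```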


As depicted in FIG. 1C, the data center 190 includes a 
service subsystem 160. The service subsystem 160 com- 
prises a plurality of dedicated web servers, wherein each 
server accesses and services a specific enterprise network 
and a plurality of attributes database servers 166 which 
service the dedicated servers. These dedicated web servers 
are referred to as enterprise gateway servers (EGSs) 164. 
FIG. 3 illustrates that each EGS 164 comprises a 
MICROSOFT® Internet Information Server (IIS) 302, a 
plurality of application interfaces 307, and an associated 
attributes database server 166. Much like the LS 142, the 
EGS 164 may be implemented as a single IIS or as a cluster 
of IISs with load balancing and fault tolerant features 
provided by MICROSOFT® WLBS. 

The application interfaces 307 provide the functionality 
and interoperability between the EGS 164 elements, the LS 
142, and the attributes server 144. The application interfaces 
307 comprise a plurality of COM (Component Object 
Model) objects 308 and Active Server Pages (ASPs) 306 
that are specifically designed to achieve EGS 164 functionality. 
The COM objects 308 (described in more detail below) 
are reusable program building blocks that can be combined 
with other components in a distributed network to form 
functional applications. The ASPs 306 are server-side scripts 
that are capable of generating markup languages, including 
but not limited to HTML, HDML, WML, XSL, XML, etc., 
to perform the dynamic rendering of web content which can 
be delivered to any browser. The ASPs 306 work in 
conjunction with the COM objects 308 to capture the 
contents of the enterprise network 403 information and 
dynamically output the information on the browser display 
of the remote access device 104. 

The ASPs 306 are designed to first retrieve the subscriber 
display preferences from the attributes database server 144 
to determine how to render the information on the browser 
display of the remote access devices 104. These preferences 
include attributes relating to the formatting, filtering, and 
sorting of the information. By way of example, suppose a 
subscriber wishes to retrieve e-mail information from his 
inbox which is stored in the messaging database server (e.g., 
MICROSOFT® Exchange Server 5.5) within the enterprise 
network 403. After inputting the necessary HTTP URL in 
the remote access device 104 to access the enterprise net- 
work 403, a session is established with the LS 142. The 
HTTP header of the request contains information identifying 
the particular remote access device 104 used in entering the 
URL. An ASP 306 exploits this information to determine 
what type of markup language (e.g., HTML, HDML, WML, 
XSL, XML, etc.) to use in rendering the display of the 
desired e-mail information. 

As stated above, after establishing subscriber 
authentication, the LS 142 redirects the session with a URL 
that points to an ASP associated with a dedicated EGS, along 
with the type of information sought. In this case, the 
redirected URL may read as "enterprise_network_A/ 
email.asp", where "enterprise_network_A" is the name of 
the enterprise network 403 to which the EGS 164 points 
and "email.asp" points to the ASP 306 responsible for 
retrieving and incorporating the subscriber-specified preferences. 
These preferences identify how the e-mail information 
in the enterprise network 403 appears on the browser 
display of the remote access device 104. For example, the 
subscriber may want the unread inbox entries to be rendered 
first, followed by the subject of each entry, followed by the 
initials of the sender, followed by the time and date of 
transmission, etc. In one implementation, these preferences 
may be stored in the attributes data server 166 within the 
service subsystem 160; in another implementation, these 
preferences may be stored in the attributes data server 144 
within the login subsystem 140. 

Before retrieving the desired information from the enterprise 
network, the ASPs 306 are also responsible for validating 
the session between the EGS 164 and the enterprise 
network 403. After being re-directed to a dedicated EGS 
164, a Virtual Private Network (VPN) connection is established 
to the enterprise network 403 and the session is 
extended thereto. As described in more detail below, the 
ASPs 306 must determine whether the VPN connection and 
the session between the EGS 164 and the enterprise network 
403 are valid. 

Finally, the ASPs 306 retrieve the desired information in 
raw form from the enterprise network 403 and format the 
raw information in accordance with the subscriber preferences 
and remote access device 104 limitations. 

In addition to acting as an intermediary, the data center 
190 may act as a central repository for the subscriber 
information. In this manner, the data center 190 provides 
subscribers with "enterprise-like" functionality by hosting 
subscriber information (e.g., e-mail, calendar, and 
phone book information) that would otherwise be stored in 
an enterprise network 403. This may be achieved by incorporating 
a messaging server, such as MICROSOFT® 
Exchange Server 5.5, within the data center 190. 

Much like the "intermediary" case, the subscriber initiates 
a request in the remote access device 104 and the data center 
190 receives the request, establishes a session with the LS 
142, and authenticates the subscriber. However, as indicated 
in FIG. 1C, instead of the LS 142 re-directing the session to 
an EGS 164 connected to a remotely-situated enterprise 
network 403, the LS 142 accesses the desired subscriber 
information from the local messaging server 148 within the 
data center 190 that hosts such information. One implementation 
includes re-directing the session to a web server 147 
which is coupled to the local messaging server 148, in a 
manner similar to the EGS 164. By virtue of the application 
interfaces (similar to the EGS application interfaces 307) 
designed to provide functionality between the LS 142, 
the attributes server 144, and the messaging server 148, the 
desired information is retrieved and rendered in accordance 
with the display capabilities of the remote access device 104. 

Further, based on the information received from the 
remote access device 104, including the HTTP header of the 
request, the login subsystem 140 determines the type of 
remote access device addressing the data center 190. The 
login subsystem 140, particularly the login server 142, 
translates the HTTP header received and provides data and 
a subscriber interface in accordance with that device type. 
For example, if the subscriber has indicated her preference 
for receiving ten e-mail headers when accessing the system 
with her remote access device 104, and the login server 142 
receives the HTTP header and a request for e-mail, the 
system will only seek to transmit ten e-mail headers for the 
subscriber. 

4. Data Center and Enterprise Network Interaction 

As previously discussed, consistent with an aspect of the 
present invention, the data center 190 retrieves data 
requested by remote access devices 104 from an enterprise 
network 403 and returns the requested data, in real time, to 
the remote devices 104 (i.e., the data center acts as an 
intermediary). A more detailed description of the interaction 
of the data center 190 with the enterprise network 403 will 
now be described with reference to FIGS. 4-7. 

FIG. 4 is a high level diagram of data center 190 coupled, 
via network 402, to a plurality of enterprise network servers 
403. Network 402 may be a network such as the Internet or 
a proprietary local area or wide area network. Data center 
190 links multiple heterogeneous remote devices 104 to one 
of enterprise network servers 403. At the request of one of 
remote devices 104, data at an associated enterprise network 
server 403 is transferred over network 402 to data center 
190, where it is converted to a form suitable for display by 
the requesting remote device. 

Each enterprise network server 403 is a computer or 
network of computers managed by a corporation or other 
entity that implements corporate messaging and collaboration 
applications such as email, calendar, or contact information 
management applications. These applications are 
implemented by messaging server 410, which may be a 
dedicated messaging and collaboration server such as a 
server running MICROSOFT® Exchange Server 5.5 on top 
of the MICROSOFT® Windows NT operating system. 
MICROSOFT® Exchange Server and MICROSOFT® Windows 
are available from MICROSOFT® Corporation, of 
Redmond, Wash. Other known implementations of the messaging 
and collaboration servers may equivalently be used. 

Remote Gateway Servers (RGS) 415 are preferably 
implemented as servers that act as an intermediary between 
messaging servers 410 and data center 190. Although the 
messaging servers 410 could communicate directly with 
data center 190, remote gateway servers 415 provide a layer 
of abstraction between the messaging servers and the data 
center 190 that enables more efficient communication when 
communicating over a "slow" network such as the Internet. 
RGSs 415 are described in more detail below. RGSs 415 
may optionally not be used, in which case the messaging 
servers 410 could communicate directly with 
data center 190. For the reasons discussed below with 
reference to FIGS. 7A and 7B, this has been found to be a 
less efficient implementation. 

If network 402 is a public network, such as the Internet, 
data transmitted over network 402 is at risk of being 
intercepted or monitored by third parties. To avoid this 
problem, the data may be encrypted at its transmission site 
(e.g., data center 190 or enterprise network server 403), and 
correspondingly decrypted at its reception site. By encrypting 
all data transmitted over network 402, data center 190 
and enterprise server 403 effectively communicate with one 
another as if they were on a private network. This type of 
encrypted network communication is called a virtual private 
network ("VPN"). 

FIGS. 5A and 5B are block diagrams illustrating embodiments 
of the implementation of a VPN between data center 
190 and enterprise network 403. The VPN is implemented 
by encrypting information transmitted between EGS 164 
and its corresponding RGS 415 on enterprise network server 
403. 

As shown in the embodiment of FIG. 5A, EGS 164 
encrypts the transmitted data using software 510 running on 
the EGS. The encrypted data is transmitted over network 
402 and decrypted by dedicated VPN server 515. Data 
flowing from enterprise network server 403 to data center 
190 is similarly encrypted at VPN server 515 and decrypted 
by software 510. Firewall 520 may optionally be implemented 
in conjunction with VPN server 515 to limit unauthorized 
outsiders from accessing the private data resources 
of enterprise network 403 and to control what outside 
resources users at enterprise 403 have access to. Firewalls 
are well known in the art. 
One example of appropriate encryption/decryption software 
510 is software that implements the well known 
Point-to-Point Tunneling Protocol (PPTP). Although PPTP 
software 510 is shown executing on a VPN server 515 and 
EGS 164, it may alternatively be implemented in special 
purpose PPTP routers or other network devices. 

FIG. 5B illustrates another embodiment implementing a 
VPN between data center 190 and enterprise network 403. 
This embodiment is similar to the one described with 
reference to FIG. 5A, the primary difference being that the 
IPSEC (Internet Protocol Security) standard is used to 
encrypt/decrypt data instead of the PPTP standard. As 
shown, encryption using IPSEC is implemented by a pair of 
complementary routers 525. 

The IPSEC standard is known in the art. In contrast to the 
PPTP standard, the IPSEC standard can provide encryption 
at the session layer or the network packet processing layer. 
PPTP provides encryption at the session layer. Additionally, 
the IPSEC standard offers considerably more options in the 
implementation of bulk encryption or hash algorithms. 

RGS 415 communicates with data center 190 through the 
VPN. Although RGS 415 may be typically present at the 
same location as the corporate network, RGS 415 and data 
center 190 are preferably given limited access to messaging 
server 410 as well as any other corporate servers. In 
particular, RGS 415 is only given the authority to communicate 
with messaging server 410 to the extent necessary to 
retrieve and store data related to the messaging and collaboration 
applications implemented by messaging server 410. 
Thus, even though RGS 415 may be given limited access to 
messaging server 410 and the rest of enterprise network 403, 
it is generally physically located at the site of the enterprise 
network 403. 

FIG. 6 is a diagram of a more detailed architectural view 
of the software components used to implement RGS 415. 

As shown, RGS 415 provides a MAPI (Messaging Application 
Program Interface) interface 602. MAPI 602 is a 
MICROSOFT® Windows program interface that enables 
software objects on RGS 415 to communicate with a MAPI-compliant 
information store, such as MICROSOFT® 
Exchange messaging server 410. MAPI 602 provides the 
low level interface between RGS 415 and messaging server 
410. MAPI 602 accesses messaging server 410 based on 
commands from CDO (Collaboration Data Object) object 
604. CDO 604 is an object in the COM (Component Object 
Model) framework for the development of component software 
objects. COM provides the underlying services of 
interface negotiation, life cycle management (determining 
when an object can be removed from a system), licensing, 
and event services (putting one object into service as the 
result of an event that has happened to another object). 
MAPI, the COM framework, and the CDO object are all 
available from MICROSOFT® Corporation. 

CDO 604, in operation, processes requests from data 
center 190 to access messaging server 410. Typical CDO 
requests include requests such as: retrieve the message 
object for a particular email of a particular subscriber, 
retrieve the subject of the email, and retrieve the time the 
email was sent. For each of these requests, CDO 604 
accesses messaging server 410, retrieves the requested 
information, and returns the information to the requesting 
entity. 

Objects in the conventional COM framework, such as 
CDO 604, are limited to communicating with other objects 
on the same server. COM may be extended to access and use 
resources present at server program objects on other computers 
in a network using the DCOM (Distributed Component 
Object Model) framework. DCOM is available from 
MICROSOFT® Corporation. 


CDO 604, operating under DCOM, may be stretched 
across network 402 so that requests for messaging server 
410 are initiated by a CDO object resident in EGS 164. This 
implementation is conceptually illustrated in FIG. 7A, in 
which CDO 701 is shown communicating directly with 
messaging server 410 across the Internet. However, because 
CDO 701 generates multiple individual requests 705 for 
what can often be represented by a single request (e.g., CDO 
701 generates separate network requests to retrieve the 
subject and the time that an email is sent, while practically, 
these requests may both be submitted at the same time), 
delays can occur when accessing messaging server 410. In 
particular, when, as shown in FIG. 7A, CDO 701 is located 
across a relatively slow or unreliable network such as the 
Internet, generating multiple requests at CDO 701 can cause 
significant delays in the overall response time. For example, 
if there is a quarter second delay associated with transmit- 
ting a request over the Internet, one request for a message 
from message server 410 may be acceptable, while 40 partial 
requests for the same message may result in an unacceptably 
long delay to retrieve the message. 

Consistent with an aspect of the present invention, a 
DCOM stub object 605, executing locally on RGS server 
415, and a DCOM proxy object 607, executing on EGS 
server 164, introduce a layer of abstraction between CDO 
object 604 and EGS server 164. More particularly, DCOM 
stub 605 and DCOM proxy object 607 communicate with 
one another over network 402 using a higher level, less 
messaging intense protocol than that used by CDO 604 
when communicating with messaging server 410. Instead of 
issuing multiple requests over network 402 to retrieve a 
particular e-mail's header, time stamp, priority, and body, 
DCOM proxy 607 may issue a single aggregate request for 
all the information associated with one email, or for the first 
ten emails. DCOM stub 605 receives the single request from 
DCOM proxy 607 and converts it into the appropriate CDO 
calls. Data received back from CDO 604 is similarly aggre- 
gated into the higher level protocol and transmitted back 
across network 402 to DCOM proxy 607. Because CDO 604 
executes locally with messaging server 410, multiple calls to 
the messaging server do not significantly slow system 
response time. 

In addition to handling CDO call aggregation, DCOM 
proxy 607 and DCOM stub 605 manage the connection over 
network 402. Once EGS 164 instantiates DCOM proxy 607, 
DCOM proxy 607 establishes a dedicated VPN session 
connection ("tunnel") 608 between DCOM proxy 607 and 
DCOM stub 605. After establishing a VPN connection, 
DCOM stub 605 receives the subscriber's PIN from DCOM 
proxy 607. The PIN is passed to Lightweight Directory 
Access Protocol (LDAP) object 609, which retrieves a 
locally stored copy of the subscriber's PIN and compares it 
to the copy received from enterprise gateway server 164. By 
comparing PINs at the enterprise, a second level of sub- 
scriber authentication is achieved. The values of the PINs 
are controlled locally at enterprise server 415. Accordingly, 
system administrators at the enterprise server have control of 
the second authentication level, and therefore final control 
over which subscribers are allowed to access the enterprise 
network information. 

From the point of view of EGS 164, CDO object 604 is 
executing locally at data center 190. EGS 164 accesses 
DCOM proxy 607 as if it were a locally executing CDO 
object. Proxy 607 converts the CDO requests from EGS 164 
to the previously mentioned higher level, less message 
intensive protocol, and transmits the request through the 
session tunnel 608 to DCOM stub 605. Thus, calls across 
network 402 are handled transparently to EGS 164. 
Additionally, dropped or lost tunnels to DCOM stub 605 are 
reinitiated by DCOM proxy 607 and DCOM stub 605 
without involving EGS 164. 
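The DCOM proxy/stub exchange of FIG. 6 and FIG. 7B, as an added Python simulation that is not code from the patent: one aggregate request through the tunnel fans out into local CDO calls at the RGS, the subscriber's PIN is compared against the LDAP copy before any data request is served, and the FIG. 7A path (every CDO call crossing the network) is counted for comparison. The request format, the four-calls-per-email figure, the PIN values and the inbox contents are constructed assumptions.

```python
"""DCOM stub 605 / DCOM proxy 607 interaction, simulated (constructed example, not the patent's code)."""
import hmac

NETWORK_DELAY_S = 0.25   # the quarter-second Internet round trip cited in the text
PER_EMAIL_CDO_CALLS = 4  # header, time stamp, priority, body: one CDO call each (assumed)


class MessagingServer:
    """Stand-in for messaging server 410; the inbox is constructed sample data."""
    def __init__(self, inbox):
        self.inbox = inbox   # subscriber -> list of message dicts


class CdoObject:
    """CDO 604: one low-level call per attribute; `calls` counts how many were made."""
    def __init__(self, server):
        self.server, self.calls = server, 0

    def _get(self, subscriber, idx, field):
        self.calls += 1
        return self.server.inbox[subscriber][idx][field]

    def message_count(self, subscriber):
        self.calls += 1
        return len(self.server.inbox[subscriber])

    def subject(self, s, i):   return self._get(s, i, "subject")
    def sent_time(self, s, i): return self._get(s, i, "sent")
    def priority(self, s, i):  return self._get(s, i, "priority")
    def body(self, s, i):      return self._get(s, i, "body")


class LdapObject:
    """LDAP object 609: the enterprise-controlled copy of each subscriber's PIN."""
    def __init__(self, pins):
        self._pins = pins

    def pin_matches(self, subscriber, pin):
        stored = self._pins.get(subscriber)
        return stored is not None and hmac.compare_digest(stored, pin)   # constant-time


class DcomStub:
    """DCOM stub 605 on the RGS: one aggregate request in, many local CDO calls out."""
    def __init__(self, cdo, ldap):
        self.cdo, self.ldap, self.authenticated = cdo, ldap, set()

    def handle(self, request):
        op, subscriber = request["op"], request["subscriber"]
        if op == "open_session":                     # second-level authentication via the PIN
            if self.ldap.pin_matches(subscriber, request["pin"]):
                self.authenticated.add(subscriber)
                return {"ok": True}
            return {"ok": False, "error": "PIN rejected"}
        if subscriber not in self.authenticated:     # no data before the PIN has been verified
            return {"ok": False, "error": "no session"}
        if op == "get_emails":                       # aggregate: first N e-mails, all fields
            n = min(request["count"], self.cdo.message_count(subscriber))
            emails = [{"subject": self.cdo.subject(subscriber, i),
                       "sent": self.cdo.sent_time(subscriber, i),
                       "priority": self.cdo.priority(subscriber, i),
                       "body": self.cdo.body(subscriber, i)} for i in range(n)]
            return {"ok": True, "emails": emails}
        return {"ok": False, "error": "unknown op"}


class DcomProxy:
    """DCOM proxy 607 on the EGS: looks like a local CDO object, counts tunnel round trips."""
    def __init__(self, stub):
        self.stub, self.round_trips = stub, 0

    def _send(self, request):
        self.round_trips += 1                         # one trip through VPN tunnel 608
        return self.stub.handle(request)

    def open_session(self, subscriber, pin):
        return self._send({"op": "open_session", "subscriber": subscriber, "pin": pin})["ok"]

    def get_emails(self, subscriber, count):
        reply = self._send({"op": "get_emails", "subscriber": subscriber, "count": count})
        return reply["emails"] if reply["ok"] else None


def naive_remote_fetch(cdo, subscriber, count):
    """FIG. 7A: CDO 701 at the data center sends every individual call over the network.
    Returns (emails, round_trips)."""
    trips = 1                                         # the message_count call
    n = min(count, cdo.message_count(subscriber))
    emails = []
    for i in range(n):
        emails.append({"subject": cdo.subject(subscriber, i), "sent": cdo.sent_time(subscriber, i),
                       "priority": cdo.priority(subscriber, i), "body": cdo.body(subscriber, i)})
        trips += PER_EMAIL_CDO_CALLS
    return emails, trips


def estimated_delay(round_trips):
    """Transit time implied by the quarter-second-per-trip figure."""
    return round_trips * NETWORK_DELAY_S


# Constructed inbox: ten messages for one subscriber.
SAMPLE_INBOX = {"alice": [{"subject": f"msg {i}", "sent": 1000 + i, "priority": "normal",
                           "body": "..."} for i in range(10)]}
```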
FIG. 7B is a conceptual diagram illustrating the communication 
path between messaging server 410 and EGS 164 
when DCOM proxy 607 and DCOM stub 605 are used. As 
shown, CDO 604 communicates with messaging server 410 
using multiple CDO requests 712. DCOM stub 605 aggregates 
the results of a number of CDO requests and transmits 
them to DCOM proxy 607 over an encrypted session tunnel. 
Proxy 607 converts the aggregated results into CDO messages 
for EGS 164. 

5. Additional Attributes 

The system further includes the ability to personalize or 
customize the subscriber interface based on the status or 
desire of the subscriber or the enterprise network 403. For 
example, the party maintaining the enterprise network 403 
may wish to introduce certain graphics or data when a 
subscriber logs in or seeks data from the enterprise. Coupled 
with this is the desire of a subscriber to configure his or her 
account to show certain information; for example, when the 
subscriber is operating a device at his workplace, he may 
wish to only receive work related e-mail. Alternately, the 
subscriber may have language preferences or screen style 
preferences that he or she wishes to view on particular 
devices. 

The subscriber enters his preferences, which are stored in 
the SQL server in the login subsystem 140. These features 
may include background color, primary and secondary 
colors, or other preferences for the subscriber interface. 
When the subscriber accesses the service, the login server 
142 receives the carrier, enterprise, language, and browser 
information from the signal received. 

The set of customizable elements are identified by a 
sequence called the customization ID. The customization ID 
represents a unique combination of carrier, enterprise and 
language desired by the particular enterprise. When a user 
logs into the system, their customized look and feel is 
determined by matching their carrier, enterprise and language 
preferences to the master set of customization IDs. 
The system then fetches the matching custom elements. The 
customized elements are inserted into ASPs at specific 
locations, thereby altering the look and feel of the system. 

In many cases, enterprises do not customize every possible 
element of the service but simply change a small subset 
such as the banner logo and primary colors. In these cases 
where many elements are not customized, default values are 
retrieved so that the entire look and feel is preserved when 
the page is being internally "assembled." 

The elements themselves are not fetched directly 
from the SQL Server during runtime but are stored as a 
structured array of values in memory on the server. Running 
in memory provides increased performance by minimizing 
database queries for custom elements. The customization 
system "refreshes" itself during runtime by updating the 
in-memory structure arrays from the data in the SQL Server 
database. Changes to the customization system are therefore 
available real-time without the need to restart the system. 

The system maintains a Customization table, which 
includes a correlation between a specific combination of 
Carrier, Enterprise and Language and a unique Customization 
ID, i.e., [Provider X; Company Y; French Canadian] is 
CustomizationID #6. This combination of factors, or Customization 
ID, is in turn related to a set of customized 
elements. The number and variety of customizable elements 
can be extensive depending on resource availability, and can 
range from the background color of the page to the text 
within the subject header of the e-mail in box. The 
CustomElementNames table maintains the master list of all of the 
customizable elements supported. 

TABLE 1 

CUSTOMELEMENTNAMES TABLE 

ElementName          SortOrder  Note       Example 
CarrierBannerLogo    1          HTML       <img src="images/default/att_logo.gif"> 
MainBgColor          1          Hex Color  #FFFFFF 
PpcBannerLogo        5          Text       Revolv Home 
HdmlPhoneAboutText   4          HDML       <LINE> Wireless Knowledge <LINE> LLC 

The system stores the customized elements in the 
CustomElements table, which maintains a correlation 
between a specific Customization ID and all of the customizable 
element names and their associated values. By having 
the CustomElements table track elements as name/value 
pairs, elements may be removed or added without modifying 
the table structure. Element values can be HTML, HDML, 
XML, hex values, plain text or any other textual information. 

TABLE 2 

CUSTOMELEMENTS TABLE 

CustomizationID  ElementName        ElementValue 
1                CarrierBannerLogo  <img src="images/default/WKBanner.jpg" width="270" height="70" border="0"> 
1                PhoneHomeTitle     Revolv Home 
5                CarrierBannerLogo  <img src="images/bm/ServiceProviderXBanner.jpg" width="300" height="70" border="0"> 
6                PhoneHomeTitle     Service ProviderX1 

When a user logs in, the system obtains the user's 
CarrierID, EnterpriseID and LanguageID from her record in 
the Users table. The system then compares these three values 
against the Customization table, looking for a match. If an 
exact match is not found, the system searches for the closest 
match in the following order of precedence: 

a. Look for a matching CarrierID, EnterpriseID, and 
LanguageID 

b. Look for a matching CarrierID, EnterpriseID and 
default language 

c. Look for a matching CarrierID, no enterprise and 
LanguageID 

d. Look for a matching CarrierID, no enterprise and 
default language 

e. Use the default look and feel 

Based on the closest match, the system determines the 
CustomizationID. As may be appreciated, the enterprise 
dictates certain components of the Customization ID. 
Should no enterprise dictated parameters be available, the 
system may provide the user with the ability to dictate 
preferences for appearance, and if the user has not indicated 
the information, the default appearance is presented to the 
user. 

Application startup procedures are presented in FIG. 8. 
On application startup, the system builds the pCustomizationIndex 
array 801 by parsing the Customization table 802 
and ordering the CustomizationIDs sequentially. This array 
will later be used as a "row index" for the pElementValues 
array 806. The system then builds the pElementNames array 
803 by parsing the CustomElementNames table 804. The 
pElementNames array 803 serves as the "column index" for 
the pElementValues array 806. The system then populates 
the pElementValues array 806 by parsing the CustomElements 
table 805. Each row of the pElementValues array 
806 corresponds to a specific element found in the pElementNames 
array 803, and each column of the pElementValues 
array 806 corresponds to a specific CustomizationID 
from the pCustomizationIndex array 801. The 
CustomElements table 805 is parsed and the values are 
positioned within the pElementValues array 806 according 
to the ElementName and CustomizationID for each record. 

Once the system has populated the pElementValues array 
806, the array is parsed and each row is stored in a variant 
array 807. Each variant array is then stored in an Application 
variable with the same name as the array element, i.e., 
Application("CarrierBannerLogo"). 

Each application includes the customization library in its 
global variable definitions. This file contains all of the 
functions needed by customization. The Application_ 
OnStart subroutine calls the initCustomization( ) function, 
which performs the first-run parsing of the database tables 

ASP. Each page that needs customization must have the 
getElement( ) function included, which returns a string value 
representing the customization element for a specific Customization 
ID. For efficient operation, each occurrence of a 
hard-coded element (HTML or otherwise) must be replaced 
with the getElement( ) function. Each web application needs 
to have an ASP page that calls the initCustomization( ) 
function, passing an argument to display the customized 
contents as they are populated into Application variables. 

The system further provides for notification in circumstances 
where the user requests to be notified on a particular 
input device under predetermined conditions. When the 
subscriber receives a communication that he or she has 
established to be important, such as an e-mail message 
having a designation of urgent, the system attempts to notify 
the subscriber. The subscriber states his or her preferences 
for notification, such as what events trigger a notification 
and which input device or devices should be notified of the 
triggering event. These notification indications are maintained 
in the SQL server at the data center 190, and this 
information is periodically monitored. As may be 
appreciated, only certain events will require user notification. 
With data information limited to e-mail, calendar, and 
contacts, notification will not be required for contacts, and 
certain e-mail requests may require notification. Calendar 
items may also prompt notification. In such circumstances, 
the user preference may require monitoring at the remote 
enterprise by passing the requested notifications to the 
remote enterprise location. Alternately, notification may 
monitor user requests at the data center 190, with requests 
then transmitted to the enterprise servers. The problem 
with maintaining the information at the data center 190 
and transmitting requests to the enterprise server is overhead. 
In the case where monitoring is passed to the 
enterprise server, the enterprise server maintains the preferences 
for all users in its domain, such as notification of an 
urgent e-mail, and when the condition is true, passes information 
to the data center 190. Data center 190 correlates the 
notification with the various input devices requested to be 
notified by the user, and transmits the data to the user input 
device requested. 

A further aspect of the current system is the ability for the 
system to determine the type of device accessing the system. 
For example, the system receives information over a data 
line including initialization information, account 
information, passwords, and so forth, in addition to browser 
information. Browser information includes the information 
requested for the type of browser used, e.g. a 
MICROSOFT® Windows CE device indicates that it is 
using a Windows CE compliant browser. Included in the 
browser information is header information from which the 

and the storage of the customized elements into Application 50 data center 190 can determine the type of device transmit- 

variables. This function loads the latest customized elements ting the data. The data center 190 stores the information 

from the database and populates Application variables with expected to be received from a particular browser; for 

variant arrays containing these elements. example, the Netscape browser, used on desktop and laptop 

The system determines the user's CustomizationlD by devices, may include the word "mozilla" in its header 

examining her CarrierlD, EnterpriselD and LanguagelD and 55 information. The data center 190 maintains predetermined 

finding the CustomizationlD that is the closest match. Once expected header parameters for each anticipated input 

the CustomizationlD has been determined, the system com- device. This predetermined information is maintained in the 

pares it to the Customizationlndex array to determine which SQL server. Upon connection between the input device and 

array positions contain the customized elements for this the data center 190, the data center retrieves the browser 

user. This derived value is called the User Customization 60 header information and compares this information with the 

Index value and is stored in a Session variable (or carried predetermined information and, if it determines a match, 

along the • query string for Phone code). The interfaces with the input device with input device specific 

getUserCustomizationlndex( ) function returns a value rep- data, e.g. screen size limitations, colors/greyscale data, and 

resenting the ordinal position of customized elements for the so forth. Thus the system does not require user input to 

particular user. Since all of the customizable elements of the 65 determine the type of device addressing the data center 190 

service are stored as variant arrays within Application vari- and can transmit appropriate input device specific data to the 

ables for each application they are easily accessible from user. 
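The FIG. 8 startup build of arrays 801, 803, 806 and 807 and the getUserCustomizationIndex( ) lookup, as an added Python example that is not the patent's own code: the sample tables are constructed, and the "*" wildcard and the most-specific-match scoring are assumptions, since the patent does not say how the "closest match" is computed.

```python
"""Added example for this page (not the patent's code): the FIG. 8 startup
build of arrays 801/803/806/807 and the closest-match user index lookup."""

# Constructed stand-ins for the Customization (802), CustomElementNames (804)
# and CustomElements (805) tables. The "*" wildcard and the scoring used in
# get_user_customization_index are assumptions, not the patent's definition.
CUSTOMIZATION = [  # (CustomizationID, CarrierID, EnterpriseID, LanguageID)
    (3, "carrierA", "acme", "*"),
    (1, "*", "*", "*"),
    (4, "carrierA", "acme", "fr"),
    (2, "carrierA", "*", "*"),
]
CUSTOM_ELEMENT_NAMES = ["CarrierBannerLogo", "WelcomeText"]
CUSTOM_ELEMENTS = [  # (ElementName, CustomizationID, Value)
    ("CarrierBannerLogo", 1, "default.gif"),
    ("CarrierBannerLogo", 2, "carrierA.gif"),
    ("WelcomeText", 1, "Welcome"),
    ("WelcomeText", 4, "Bienvenue"),
]


def init_customization():
    """Application_OnStart work: rows of 806 are element names, columns are
    CustomizationIDs; each row is then stored under its element name (807)."""
    p_customization_index = sorted(row[0] for row in CUSTOMIZATION)  # 801
    p_element_names = list(CUSTOM_ELEMENT_NAMES)                     # 803
    p_element_values = [[None] * len(p_customization_index)           # 806
                        for _ in p_element_names]
    for name, cid, value in CUSTOM_ELEMENTS:
        row, col = p_element_names.index(name), p_customization_index.index(cid)
        p_element_values[row][col] = value
    # 807: like Application("CarrierBannerLogo") holding that row's variant array
    application = {n: p_element_values[i] for i, n in enumerate(p_element_names)}
    return p_customization_index, application


def get_user_customization_index(p_customization_index, carrier, enterprise, language):
    """Ordinal position (column of 806) of the user's closest CustomizationID:
    no concrete field may differ, and the record with most concrete fields wins."""
    best_cid, best_score = None, -1
    for cid, c, e, l in CUSTOMIZATION:
        fields = ((c, carrier), (e, enterprise), (l, language))
        if any(want != "*" and want != have for want, have in fields):
            continue
        score = sum(want != "*" for want, _ in fields)
        if score > best_score:
            best_cid, best_score = cid, score
    return p_customization_index.index(best_cid)
```

A cell of `application[name]` is `None` when nothing was customized for that CustomizationID; the patent defines no fallback, so the caller must supply one (for instance the all-wildcard record's value).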
Further, as may be appreciated from the foregoing description, the data center interacts with the enterprise network by transmitting requests to the enterprise network and receiving responses therefrom. As may be appreciated, a user desiring access to the data center will in most circumstances also wish to have access to the enterprise network. For security reasons, an enterprise network may not wish the data center to directly access the enterprise, and will not automatically grant access. Most enterprise networks will have firewalls installed to prohibit access by unknown parties.

The system accepts passwords for access to the data center and the user logs into the data center. Subsequent to this logon, the system knows the enterprise where the user may access information based on the user's profile. The user then is provided by the data center to the enterprise network, where the user must log into the enterprise. This will typically be a different user name and a different password. Certain password evaluation algorithms are employed by the data center to guard against access by unauthorized parties. However, under all conditions, the data center never obtains the user's enterprise password, but merely passes the user's password through to the enterprise without storing or evaluating the information.

The foregoing description of preferred embodiments of the present invention provides illustration and description, but is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications and variations are possible consistent with the above teachings or may be acquired from practice of the invention. Accordingly, the scope of the invention is defined by the claims and their equivalents.

What is claimed:

1. A computer system comprising:

an enterprise gateway server connected to a data network, the enterprise gateway server including software that converts a plurality of data requests for messaging and collaboration data into a single higher level request and transmits the higher level request over the data network;

a remote gateway server connected to the data network, the remote gateway server receiving the higher level request from the enterprise gateway server and converting the higher level request to the plurality of data requests; and

a messaging server hosting messaging and collaboration data and connected to the remote gateway server through a private data network, the messaging server providing messaging and collaboration data to the remote gateway server in response to receiving the plurality of data requests.

2. The computer system of claim 1, wherein the data network is a public network.

3. The computer system of claim 2, wherein data transmitted over the public network is encrypted so as to form a virtual private network (VPN) between the enterprise gateway server and the remote gateway server.

4. The computer system of claim 3, wherein the VPN is formed with a Point-to-Point Tunneling Protocol (PPTP) connection.

5. The computer system of claim 3, wherein the VPN is formed using the Internet Protocol Security (IPSEC) standard.

6. The computer system of claim 1, wherein the messaging and collaboration data is one of email, calendar, or contact information.

7. The computer system of claim 1, wherein the data network is a private network.

8. The computer system of claim 1, wherein the single higher level request generated at the enterprise gateway server is produced by a Distributed Component Object Model (DCOM) proxy program executing at the enterprise gateway server.

9. The computer system of claim 1, wherein a Distributed Component Object Model (DCOM) stub program executing on the remote gateway server receives the higher level request from the enterprise gateway server and converts the higher level request to the plurality of data requests.

10. A computer system comprising:

an enterprise gateway server connected to a data network, the enterprise gateway server including software that converts a plurality of data requests for messaging and collaboration data into a single higher level request and transmits the higher level request; and

a corporate network connected to the enterprise gateway server via the Internet, the corporate network receiving the higher level request from the enterprise gateway server and converting the higher level request to the plurality of data requests, the corporate network using the converted plurality of data requests to query a messaging database that stores messaging and collaboration data corresponding to the plurality of data requests from the enterprise gateway server, and returning the results of the query to the enterprise gateway server.

11. The computer system of claim 10, wherein data transmitted over the Internet is encrypted so as to form a virtual private network (VPN) between the enterprise gateway server and the remote gateway server.

12. The computer system of claim 11, wherein the VPN is formed with a Point-to-Point Tunneling Protocol (PPTP) connection.

13. The computer system of claim 11, wherein the VPN is formed using the Internet Protocol Security (IPSEC) standard.

14. The computer system of claim 10, wherein the messaging and collaboration data is one of email, calendar, or contact information.

15. The computer system of claim 10, wherein the single higher level request generated at the enterprise gateway server is produced by a Distributed Component Object Model (DCOM) proxy program executing at the enterprise gateway server.

16. The computer system of claim 10, wherein a Distributed Component Object Model (DCOM) stub program executing on the remote gateway server receives the higher level request from the enterprise gateway server and converts the higher level request to the plurality of data requests.

17. An apparatus comprising:

means for converting a plurality of data requests for messaging and collaboration data into a single higher level request in an enterprise gateway server;

means for transmitting the higher level request over a data network;

means for receiving the higher level request in a remote gateway server;

means for converting the higher level request to the plurality of data requests; and

means for providing messaging and collaboration data from the remote gateway server to the enterprise gateway server in response to receiving the plurality of data requests.

18. The apparatus of claim 17, wherein the data network is a public network.

19. The apparatus of claim 18, wherein the data transmitted over the public network is encrypted so as to form a virtual private network (VPN).

20. The apparatus of claim 19, wherein the VPN is formed with a Point-to-Point Tunneling Protocol (PPTP) connection.

21. The apparatus of claim 19, wherein the VPN is formed using the Internet Protocol Security (IPSEC) standard.

22. The apparatus of claim 17, wherein the messaging and collaboration data is one of email, calendar, or contact information.

23. The apparatus of claim 17, wherein the data network is a private network.

24. The apparatus of claim 17, wherein the single higher level request is produced by a Distributed Component Object Model (DCOM) proxy program.

25. The apparatus of claim 17, wherein a Distributed Component Object Model (DCOM) stub program receives the higher level request and converts the higher level request to the plurality of data requests.

26. An apparatus comprising:

means for converting a plurality of data requests for messaging and collaboration data into a single higher level request in an enterprise gateway server;

means for transmitting the higher level request;

means for receiving the higher level request;

means for converting the higher level request to the plurality of data requests;

means for using the converted plurality of data requests to query a messaging database that stores messaging and collaboration data corresponding to the plurality of data requests from the enterprise gateway server; and

means for returning the results of the query to the enterprise gateway server.

* * * * *